ConsentFix v3 attacks target Azure with automated OAuth abuse

Published:

2 mei 2026 om 14:32:25

Alert date:

2 mei 2026 om 15:01:22

Source:

bleepingcomputer.com

Cloud & Virtualization, Identity & Access

A new automated attack technique called ConsentFix v3 is targeting Microsoft Azure environments through OAuth abuse mechanisms. This attack builds upon previous ConsentFix techniques by adding automation capabilities and enhanced scaling potential. The attacks are being discussed and shared on underground hacker forums, indicating growing adoption among threat actors. The technique exploits OAuth consent flows in Azure to gain unauthorized access to cloud resources. This represents an evolution of OAuth-based attacks against cloud infrastructure with increased sophistication and automation capabilities.

Technical details

ConsentFix v3 is an automated OAuth abuse attack targeting Microsoft Azure that exploits OAuth2 authorization code flow and first-party Microsoft apps that are pre-trusted and pre-consented. The attack uses Pipedream as a webhook endpoint, automation engine, and token collector. Attackers deploy phishing pages on Cloudflare Pages, trick victims into providing OAuth authorization codes, then exchange these codes for refresh tokens to access Microsoft environments including email, files, and other services.

Mitigation steps:

Apply token binding to trusted devices
Set up behavioral detection rules
Apply app authentication restrictions
Monitor for unauthorized OAuth flows
Implement additional verification for first-party app permissions

Affected products:

Microsoft Azure
Microsoft OAuth2
Azure CLI
Outlook
Tutanota
Cloudflare Pages
DocSend
Hunter.io
Pipedream
Specter Portal